[
https://issues.apache.org/jira/browse/PHOENIX-4198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16165100#comment-16165100
]
Andrew Purtell commented on PHOENIX-4198:
-----------------------------------------
I think Phoenix should use HBase native security features, there is no need to
require use of a third party component like Ranger or Sentry. If Ranger or
Sentry offer something compelling, fine, a user is free to pick them up and use
them, but mandating them is IMHO mandating user lock-in on something external
to HBase+Phoenix for what is a core functional concern (protection of SYSTEM
tables). That is the wrong approach. HBase+Phoenix should natively provide
protection of SYSTEM tables as required.
Also, there are already a lot of downstream dependencies for a Phoenix build
due to all of the connector modules, and the cross-product of these already
present a challenge to DIY-ers trying to orchestrate a whole stack for
production.
> Remove the need for users to have access to the Phoenix SYSTEM tables to
> create tables
> --------------------------------------------------------------------------------------
>
> Key: PHOENIX-4198
> URL: https://issues.apache.org/jira/browse/PHOENIX-4198
> Project: Phoenix
> Issue Type: Bug
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Labels: namespaces
> Fix For: 4.12.0
>
> Attachments: PHOENIX-4198.patch
>
>
> Problem statement:-
> A user who doesn't have access to a table should also not be able to modify
> Phoenix Metadata. Currently, every user required to have a write permission
> to SYSTEM tables which is a security concern as they can
> create/alter/drop/corrupt meta data of any other table without proper access
> to the corresponding physical tables.
> [~devaraj] recommended a solution as below.
> 1. A coprocessor endpoint would be implemented and all write accesses to the
> catalog table would have to necessarily go through that. The 'hbase' user
> would own that table. Today, there is MetaDataEndpointImpl that's run on the
> RS where the catalog is hosted, and that could be enhanced to serve the
> purpose we need.
> 2. The regionserver hosting the catalog table would do the needful for all
> catalog updates - creating the mutations as needed, that is.
> 3. The coprocessor endpoint could use Ranger to do necessary authorization
> checks before updating the catalog table. So for example, if a user doesn't
> have authorization to create a table in a certain namespace, or update the
> schema, etc., it can reject such requests outright. Only after successful
> validations, does it perform the operations (physical operations to do with
> creating the table, and updating the catalog table with the necessary
> mutations).
> 4. In essence, the code that implements dealing with DDLs, would be hosted in
> the catalog table endpoint. The client code would be really thin, and it
> would just invoke the endpoint with the necessary info. The additional thing
> that needs to be done in the endpoint is the validation of authorization to
> prevent unauthorized users from making changes to someone else's
> tables/schemas/etc. For example, one should be able to create a view on a
> table if he has read access on the base table. That mutation on the catalog
> table would be permitted. For changing the schema (adding a new column for
> example), the said user would need write permission on the table... etc etc.
> Thanks [~elserj] for the write-up.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
